dfx-finance / protocol-v2 Goto Github PK

In light of the recently published post-mortem, I was reviewing the existing audit coverage for this version of the protocol and saw that the Trail of Bits audit is included (it was imported with the rest of the audits in #73).

Having read the ToB audit when it was first published, I had assumed it was for V1. Slightly confused, I attempted to retrieve the commit specified in the report (906bd5274dcd07c458e6bbd6f13adced873ac952), only to realise it really was for the V1 repo.

Whilst more communication is certainly better when it comes to security audit coverage, I think this communication would benefit from more clarity surrounding what exactly has been audited by who. I suppose the easiest fix would be to create subdirectories for each protocol version and have the relevant reports contained within those?

• check for unused contracts
• remove unused contracts

• make sure that the whole file is not being used but a git reference

• Port to forge
• Fuzzing

• Port to forge
• Fuzzing

https://github.com/dfx-finance/protocol/blob/v2/contracts/CurveFactoryV2.sol#L99-#L102
Curve Factory V2 deploys a new USDC-USD assimilator with every new curve. Should change this because of it would cost a lot of money redeploying the same contract every time.

• Issue #36 (Oracle Front Run):
  PR: Will set up AMM infra post audit see discussion here new issue here

• Issue #37 (Missing Proxy Protection)
  PR here

• Issue #38 (DepositWithWhitelist Validation)
  PR here

• Issue #39 (Unclear Error)
  PR here

• Issue #40 (Emergency State Clarification)
  PR here

• Issue #41 (Transactable Check)
  PR: Is intentional see discussion here

• Issue #42 (Protected Function)
  PR here

• Issue #43 (Verification)
  PR here

• Issue #44 (newAssimilator Definition)
  PR here

• Issue #45 (Overwriting Curve)
  PR here

• Issue #46 (Potential Time Lag)
  PR here

• Issue #47 (Unnecessary Function)
  PR here

• Issue #48 (Library Update)
  PR here

• Issue #49 (Currency Check)
  PR here

• Issue #50 (Equivalent Function)
  PR here

There are problems with deploying ANY contracts through foundry's forge create as well as forge script both don't work under any RPC i.e. alchemy. I even tested with multiple gas multipliers with no luck. Will need to open up an issue with foundry. Current work around will use a hardhat project to deploy. Mainnet should be working fine as I have tested on Goerli.

[] Opening up foundry issue for polygon ProviderError(JsonRpcError(JsonRpcError { code: -32000, message: "transaction underpriced", data: None }))

• deploy locally
• testing
• Descriptions of functions / documentations

Using maple finance github actions is a good idea
ref: https://github.com/maple-labs/erc20/tree/main/.github/workflows

• curve address
• assimilator address
• oracle used
• token used

• Port to forge
• Fuzzing

• Port to forge
• Fuzzing

After some research probably should be using uniswapv3 code. Angle and aave doesn't fit what we're looking for i.e. mint flashloans.

Old CurveFactory Contract

function getCurve() encodes id as bytes32 curveId = keccak256(abi.encode(_baseCurrency, _quoteCurrency));
which aligns with
newCurve() encoding id as bytes32 curveId = keccak256(abi.encode(_baseCurrency, _quoteCurrency));
ref: https://github.com/dfx-finance/protocol/blob/main/contracts/CurveFactory.sol#L31-L46

New CurveFactoryV2 Contract

function getCurve() only has one param bytes32 curveId = keccak256(abi.encode(_token));
which DOES NOT align with
newCurve encoding with old id as bytes32 curveId = keccak256(abi.encode(_info._baseCurrency, _info._quoteCurrency));
ref: https://github.com/dfx-finance/protocol/blob/v2/contracts/CurveFactoryV2.sol#L85-L91

• solidity v0.8.0
• forge build

Slither needs to ignore some of the dependancies inorder to work well with github actions

Hardfork tests don't work because the infura API is no longer supported. Will have to store in github actions.

• Port to forge
• Fuzzing